2

Default ACLs on a directory are inherited by files and subdirectories created under that directory.

It seems a common requirement that by default subdirectories should be executable (i.e. cd-able) but files should not.

How can I set separate default (i.e. to be inherited) ACLs for subdirectories and (child-) files, or otherwise achieve this effect?

Addendum:
Raspberry Pi Model B, Raspbian, get/setfacl 2.2.51

cat /proc/version
Linux version 3.6.11+ (dc4@dc4-arm-01) (gcc version 4.7.2 20120731 (prerelease) (crosstool-NG linaro-1.13.1+bzr2458 - Linaro GCC 2012.08) ) #474 PREEMPT Thu Jun 13 17:14:42 BST 2013

2 Answers

1

There is only one default, but when a file inherits an ACL, it gets modified by a mask which is set from the mode which programs set when they open a file for writing. (The mode is actually modified by the umask - the bits from the umask are removed, so mode 666 plus umask 002 becomes 664.) If the mode is 664 for example, the mask will be rw- which causes the x flag to be masked out for all named ACLs and for the group, so that effectively there is no execute permission. The mask is created from the group bits of the mode or the group bits of a chmod if that is used.

So if you create a normal file, it will have x set in the ACL but it will be masked. Directories are by default created with mode 755 or 775 (depending on umask), so that the mask will be rwx or r-x. So the x-flag in the ACL stays effective.

I was confused before with the capital X. That only applies when you set ACLs for multiple files at once. Then you can set the permission to X which will cause directories to have x and files will not.

Michael Suelmann
  • I tried this solution prior to posting, however the capital X doesn't seem to stick: http://pastebin.com/dcZY07nD – Aaron J Lang Nov 04 '13 at 21:12
  • Sorry, I got confused about changing multiple ACLs at once and default ACLs. I corrected my answer. – Michael Suelmann Nov 04 '13 at 22:42
  • Should I use umask or set the mask in ACL? The former appears to restrict and the latter allow permissions to be set. How do they interact, does one have priority? Does this not still require setting the mask differently for files and directories? – Aaron J Lang Nov 05 '13 at 09:09
  • The standard umasks 002 and 022 are both ok for this. All programs use a mode 666 or less when creating files, except when creating executable files, so the execute permission is never set when it shouldn't. So execute permission in a default ACL is totally ok (and needed so that subdirectories work). – Michael Suelmann Nov 05 '13 at 13:36
0

You cannot set default file and dir permissions differently with ACLs. But the x permission is not an issue either. Set the default ACLs to the corresponding directory permissions (i.e. rwx, r-x or ---): files will be created accordingly, without "visible" x.

Any file or directory created must be accompanied by a file permission mode (the corresponding system calls cannot be invoked without that parameter). In most situations the corresponding code uses rw-rw-rw- for files and rwxrwxrwx for directories, leaving the removal of permissions to the default ACLs (or in their absence to the umask).

The default ACLs (or the umask) do not add effective permissions, but can only remove some. Thus, the invoking code's choice for x is respected, even if the default ACLs include the x for directories.
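The inheritance rule both answers describe, as an added example that is not part of the original posts: a small Python model of the object-creation rule in acl(5), applied to a constructed default ACL. The entry `user:alice:` and the helper names are assumptions made for illustration; it also covers a file created with mode 600, where the named user ends up with no effective access.

```python
# Model of POSIX ACL inheritance on object creation (rule from acl(5)).
# Entry keys use setfacl text form; DEFAULT_ACL is constructed sample data.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perms):
    return sum(bit for ch, bit in PERM_BITS.items() if ch in perms)

def to_text(bits):
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS.items())

def inherit(default_acl, mode):
    """Access ACL of an object created with `mode` under a directory that
    carries `default_acl`. With a default ACL present the umask is ignored."""
    acl = {key: to_bits(perms) for key, perms in default_acl.items()}
    # The group bits of the mode land on the mask if there is one.
    group_class = "mask::" if "mask::" in acl else "group::"
    acl["user::"] &= (mode >> 6) & 7
    acl[group_class] &= (mode >> 3) & 7
    acl["other::"] &= mode & 7
    return acl

def effective(acl):
    """Effective rights per entry: named users, named groups and the owning
    group are limited by the mask; user:: and other:: are not."""
    mask = acl.get("mask::", 7)
    result = {}
    for key, bits in acl.items():
        if key == "mask::":
            continue
        limited = key not in ("user::", "other::")
        result[key] = to_text(bits & mask if limited else bits)
    return result

# Constructed default ACL, as "setfacl -d -m ..." would leave it on a directory.
DEFAULT_ACL = {
    "user::": "rwx",
    "user:alice:": "rwx",   # hypothetical named user
    "group::": "r-x",
    "mask::": "rwx",
    "other::": "r-x",
}

if __name__ == "__main__":
    cases = [("file, open(..., 0666)", 0o666), ("dir, mkdir(..., 0777)", 0o777),
             ("private file, open(..., 0600)", 0o600)]
    for label, mode in cases:
        print(label, effective(inherit(DEFAULT_ACL, mode)))
```
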